Fix path_entries encoding (#4823)

* Fix path_entries encoding
#fix https://github.com/FreshRSS/FreshRSS/issues/4815

* Fix preview

6 files changed, 13 insertions, 6 deletions

diff --git a/app/Controllers/feedController.php b/app/Controllers/feedController.php
index 09b5ed88c..319faece8 100755
--- a/app/Controllers/feedController.php
+++ b/app/Controllers/feedController.php
@@ -934,13 +934,13 @@ class FreshRSS_feed_Controller extends FreshRSS_ActionController {
 		}
 
 		$attributes = $feed->attributes();
-		$attributes['path_entries_filter'] = trim(Minz_Request::param('selector_filter', ''));
+		$attributes['path_entries_filter'] = trim(Minz_Request::param('selector_filter', '', true));
 
 		//Fetch & select content.
 		try {
 			$fullContent = FreshRSS_Entry::getContentByParsing(
 				htmlspecialchars_decode($entry->link(), ENT_QUOTES),
-				$content_selector,
+				htmlspecialchars_decode($content_selector, ENT_QUOTES),
 				$attributes
 			);
 
diff --git a/app/Models/Category.php b/app/Models/Category.php
index e5da764d3..c4ca12fd3 100644
--- a/app/Models/Category.php
+++ b/app/Models/Category.php
@@ -54,6 +54,7 @@ class FreshRSS_Category extends Minz_Model {
 	public function kind(): int {
 		return $this->kind;
 	}
+	/** @return string HTML-encoded name of the category */
 	public function name(): string {
 		return $this->name;
 	}
diff --git a/app/Models/Entry.php b/app/Models/Entry.php
index 12cef68a5..47fcf3b4a 100644
--- a/app/Models/Entry.php
+++ b/app/Models/Entry.php
@@ -184,6 +184,7 @@ class FreshRSS_Entry extends Minz_Model {
 		return null;
 	}
 
+	/** @return string HTML-encoded link of the entry */
 	public function link(): string {
 		return $this->link;
 	}
@@ -589,10 +590,10 @@ class FreshRSS_Entry extends Minz_Model {
 				$this->content = $entry->content();
 			} else {
 				try {
-					// l’article n’est pas en BDD, on va le chercher sur le site
+					// The article is not yet in the database, so let’s fetch it
 					$fullContent = self::getContentByParsing(
 						htmlspecialchars_decode($this->link(), ENT_QUOTES),
-						$feed->pathEntries(),
+						htmlspecialchars_decode($feed->pathEntries(), ENT_QUOTES),
 						$feed->attributes()
 					);
 					if ('' !== $fullContent) {
diff --git a/app/Models/Feed.php b/app/Models/Feed.php
index 32b22edf2..f24ec1884 100644
--- a/app/Models/Feed.php
+++ b/app/Models/Feed.php
@@ -145,6 +145,7 @@ class FreshRSS_Feed extends Minz_Model {
 	public function name($raw = false): string {
 		return $raw || $this->name != '' ? $this->name : preg_replace('%^https?://(www[.])?%i', '', $this->url);
 	}
+	/** @return string HTML-encoded URL of the Web site of the feed */
 	public function website(): string {
 		return $this->website;
 	}
@@ -157,6 +158,7 @@ class FreshRSS_Feed extends Minz_Model {
 	public function priority(): int {
 		return $this->priority;
 	}
+	/** @return string HTML-encoded CSS selector */
 	public function pathEntries(): string {
 		return $this->pathEntries;
 	}
@@ -192,6 +194,7 @@ class FreshRSS_Feed extends Minz_Model {
 		return $this->ttl;
 	}
 
+	/** @return mixed attribute (if $key is not blank) or array of attributes, not HTML-encoded */
 	public function attributes($key = '') {
 		if ($key == '') {
 			return $this->attributes;
@@ -301,6 +304,7 @@ class FreshRSS_Feed extends Minz_Model {
 	public function _priority($value) {
 		$this->priority = intval($value);
 	}
+	/** @param string $value HTML-encoded CSS selector */
 	public function _pathEntries(string $value) {
 		$this->pathEntries = $value;
 	}
@@ -320,6 +324,7 @@ class FreshRSS_Feed extends Minz_Model {
 		$this->mute = $value < self::TTL_DEFAULT;
 	}
 
+	/** @param mixed $value Value, not HTML-encoded */
 	public function _attributes(string $key, $value) {
 		if ($key == '') {
 			if (is_string($value)) {
diff --git a/app/Services/ImportService.php b/app/Services/ImportService.php
index a4ef547ba..28286a753 100644
--- a/app/Services/ImportService.php
+++ b/app/Services/ImportService.php
@@ -165,7 +165,7 @@ class FreshRSS_Import_Service {
 			foreach ($feed_elt as $key => $value) {
 				if (is_array($value) && !empty($value['value']) && ($value['namespace'] ?? '') === FreshRSS_Export_Service::FRSS_NAMESPACE) {
 					switch ($key) {
-						case 'cssFullContent': $feed->_pathEntries($value['value']); break;
+						case 'cssFullContent': $feed->_pathEntries(Minz_Helper::htmlspecialchars_utf8($value['value'])); break;
 						case 'cssFullContentFilter': $feed->_attributes('path_entries_filter', $value['value']); break;
 						case 'filtersActionRead': $feed->_filtersAction('read', preg_split('/[\n\r]+/', $value['value'])); break;
 						case 'xPathItem': $xPathSettings['item'] = $value['value']; break;
diff --git a/app/views/helpers/export/opml.phtml b/app/views/helpers/export/opml.phtml
index 1ee030cdf..d97641fd2 100644
--- a/app/views/helpers/export/opml.phtml
+++ b/app/views/helpers/export/opml.phtml
@@ -40,7 +40,7 @@ function feedsToOutlines($feeds, $excludeMutedFeeds = false): array {
 			$outline['frss:filtersActionRead'] = ['namespace' => FreshRSS_Export_Service::FRSS_NAMESPACE, 'value' => $filters];
 		}
 		if ($feed->pathEntries() != '') {
-			$outline['frss:cssFullContent'] = ['namespace' => FreshRSS_Export_Service::FRSS_NAMESPACE, 'value' => $feed->pathEntries()];
+			$outline['frss:cssFullContent'] = ['namespace' => FreshRSS_Export_Service::FRSS_NAMESPACE, 'value' => htmlspecialchars_decode($feed->pathEntries(), ENT_QUOTES)];
 		}
 		if ($feed->attributes('path_entries_filter') != '') {
 			$outline['frss:cssFullContentFilter'] = ['namespace' => FreshRSS_Export_Service::FRSS_NAMESPACE, 'value' => $feed->attributes('path_entries_filter')];